{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-71241","assignerOrgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","state":"PUBLISHED","assignerShortName":"VulnCheck","dateReserved":"2026-02-19T03:00:22.781Z","datePublished":"2026-02-19T14:58:13.755Z","dateUpdated":"2026-03-05T01:29:57.430Z"},"containers":{"cna":{"providerMetadata":{"orgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","shortName":"VulnCheck","dateUpdated":"2026-03-05T01:29:57.430Z"},"title":"SPIP < 4.3.6 Cross-Site Scripting in Private Area","descriptions":[{"lang":"en","value":"SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting (XSS) in the private area. The content of the error message displayed by the 'transmettre' API is not properly sanitized, allowing an attacker to inject malicious scripts. This vulnerability is mitigated by the SPIP security screen."}],"affected":[{"vendor":"SPIP","product":"SPIP","versions":[{"status":"affected","version":"4.1.0","lessThan":"4.1.20","versionType":"semver"},{"status":"affected","version":"4.2.0","lessThan":"4.2.17","versionType":"semver"},{"status":"affected","version":"4.3.0","lessThan":"4.3.6","versionType":"semver"}],"defaultStatus":"unaffected"}],"cpeApplicability":[{"operator":"OR","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*","versionStartIncluding":"4.1.0","versionEndExcluding":"4.1.20"},{"vulnerable":true,"criteria":"cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2.0","versionEndExcluding":"4.2.17"},{"vulnerable":true,"criteria":"cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3.0","versionEndExcluding":"4.3.6"}]}]}],"problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-79","description":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","type":"CWE"}]}],"references":[{"url":"https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-3-6-SPIP-4-2-17-SPIP-4-1-20.html","tags":["vendor-advisory","patch"]},{"url":"https://git.spip.net/spip/spip","tags":["product"]},{"name":"VulnCheck Advisory: SPIP < 4.3.6 Cross-Site Scripting in Private Area","tags":["third-party-advisory"],"url":"https://www.vulncheck.com/advisories/spip-cross-site-scripting-in-private-area"}],"credits":[{"lang":"en","value":"Glop","type":"finder"},{"lang":"en","value":"Tom","type":"finder"},{"lang":"en","value":"Mika","type":"finder"}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":4.8,"baseSeverity":"MEDIUM","exploitMaturity":"NOT_DEFINED","privilegesRequired":"LOW","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","userInteraction":"ACTIVE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"source":{"discovery":"EXTERNAL"},"datePublic":"2025-01-16T00:00:00.000Z","x_generator":{"engine":"vulncheck"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-02-20T20:27:42.865951Z","id":"CVE-2025-71241","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-20T20:27:57.434Z"}}]}}